Extracting Firmware from External Memory via JTAG

Captions
Hey everyone, Joe Grand here in a hotel room in an undisclosed location, bringing you a demonstration of extracting firmware through a JTAG interface. A few years ago I was in another hotel room and tweeted a picture of doing this exact same thing. I didn't really give any details, and after the fact people were asking me questions, so I figured what better time than to make a video about it.

My target board for this demonstration is a Linksys WRT54G. These things have been around for a long time, super hackable, lots of information about them online. You can get them pretty cheap at thrift stores and on eBay. These are a really great platform to start working with if you're interested in learning about hardware hacking and exploring different types of embedded systems.

So JTAG is an industry standard interface that really was designed for low-level chip testing. Nowadays when we think of JTAG we think of device programming and debugging, but it didn't start that way, and vendors over time have added functionality. I've given talks about JTAG in the past, so you can find some of those videos on YouTube. But today what we're gonna be doing is using JTAG over a tool called the Bus Blaster to connect to the JTAG interface of our target. That's going to communicate with the CPU, and then the CPU will communicate for us to the memory, and then we'll be able to extract the contents.

So what we have set up here is our target board. We have our JTAG connector down here, and there's ground on one side and the signals on the other, so I wired those directly up to the Bus Blaster. On the Bus Blaster, on the silkscreen, there's actually the signal names right on here, so you just have to make sure you run the cables to the right spots. And then the Bus Blaster is connected and controlled over USB; that goes to my host computer. Everything else is done in the software.

So the first thing we need to do is run the URJtag tool. I already have that pre-installed on my machine, so I can just type jtag and it's going to load up. So what we need to do to get our hardware set up is we're going to define the JTAG hardware that we're using. So we're gonna type cable JTAGkey, put a vendor ID of 0x0403 and a product ID of 0x6010. This vendor ID and product ID and the JTAGkey is basically a general-purpose JTAG hardware based on an FTDI FT2232 USB-to-serial adapter, so the Bus Blaster that we're using is essentially the same as the JTAGkey. We're going to specify interface 0, which is one of the two interfaces for the FT2232H. All right, we see "connected to libftdi driver," so now we're good to go.

What we can do is actually type detect now. Now we're gonna look: the Bus Blaster is gonna try to communicate over JTAG on the pins that we've connected, on those signals, and query the JTAG chain and see if it can detect any devices. And here we go. So we can actually see the device ID that was returned by the chip, 0x1471217F, and URJtag even parses that out and tells us, okay, it's manufactured by Broadcom, BCM4712 chip, which is pretty handy.

So now what we can do, now that we've detected the device on the chain: this Broadcom chip, the BCM4712, is a MIPS architecture, and there's some additional functionality for MIPS called EJTAG, which stands for Enhanced JTAG. What that is is basically debugging and programming functionality built on top of the JTAG specification, because JTAG itself doesn't define any high-level kind of functionality or commands, but for MIPS this Enhanced JTAG is part of that architecture, and URJtag supports that. So we can just tell URJtag to initialize the EJTAG functionality of the chip we're connected to, and right away we get a response back. We see "processor entered debug mode." So now we're communicating through URJtag to the Bus Blaster to the WRT54G to the Broadcom CPU, and now we're actually in a debug mode, which is pretty cool. Now if you're dealing with another type of architecture or some other type of target chip, this particular command might not work; this particular process as a whole might not work.

What we can do now is take advantage of another command within URJtag called detectflash, and that's gonna query the CPU and basically twiddle the bits of the CPU through JTAG and reach out and see if it can detect any external memory connected to it. So we have to type in our base address here of 0x3C000000. This base address, you need to tell the command where to start looking for the memory, and this is something that I had discovered through looking at the UART output log information as this router was booting up. The base address that actually printed in the UART output was 0x1C000000, so I did a little bit of kind of guessing. If for some reason you don't know the base address, if you can't get any other clues, you might have to do some brute forcing until you actually get the correct response back from the tool.

So let's see if we can detect the attached memory. We see a whole bunch of information coming back. This is part of the CFI specification, the Common Flash Interface, and this information that's coming back is actually stored on the chip, on the memory device, and sent back to us, so we can see some of the low-level kind of configuration stuff. We see our device size: it's a 4 megabyte flash, and that makes sense because the device on this Linksys board is an Intel flash, it's a 28F320, and a bunch of other information. So now that we can actually communicate to the memory device, we can just try to read the memory. So we're gonna type in the readmem command with our base address, and let's go for the whole enchilada all at once: 0x400000, that's 4 megabytes. Save that to a file, dump.bin, and give that a go.

All right, so that dump took just a little bit under five hours, and extraction over JTAG is generally relatively slow compared to other methods because we're communicating to the target device serially and there's just a lot of information that needs to be transferred, and we're basically just shifting data in and shifting data out per the JTAG spec. Usually though, if we're extracting memory in this way, time is not of the essence, so we just wait for it to take as long as it needs to take.

One of the first things that I'll do once I successfully extract a binary blob is to run strings on it. strings is going to show us all of the printable ASCII text that's within that binary blob, and you can see there's all sorts of information in here in the clear, stored in the memory: things like passwords, names of access points (there is mine, Joe Grand WRT54G), and lots of information in there. You don't even really have to do any sort of complex reverse engineering to get information about the target. Another tool we can use is binwalk, which is going to look for known signatures and known headers of things like file systems and zip files and image files, and it really makes it a lot easier for us to take a large binary dump. In our case four megabytes is really big and not something that we would generally just start reverse engineering without knowing what we're looking at, so binwalk is really gonna give us a clue about what's actually contained within that binary.

Once you've successfully extracted firmware from the memory, then your hardware problem basically becomes a software problem. There's lots of great people doing some amazing firmware reverse engineering and exploitation that you can learn from. Take a look at the Exploitee.rs, who do a lot of crazy consumer electronics hacking; Chris Eagle, the IDA Pro master; Azeria, doing a whole bunch of ARM exploitation; and Craig Heffner, who does a lot of routers and network types of devices. Once again, I'm Joe Grand signing off, and I hope this video is useful to give you some tips about another way to extract memory: firmware extraction through the JTAG interface. Successful.
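The last part of the video runs strings and binwalk over dump.bin to find cleartext configuration and known headers. The script below is an added example, not Joe Grand's code and not part of URJtag, strings or binwalk: it performs the same two triage passes in miniature, a binwalk-style scan for a handful of magic values (gzip, SquashFS, Zip, ELF, and the "HDR0" TRX header Linksys used on these routers; the signature table is my assumption, not something the video lists) and a strings -t x style sweep that flags entries looking like credentials or radio settings, which is exactly the kind of in-the-clear data the video points out. The sample dump is constructed inline so the script runs offline; nothing in it comes from a real WRT54G image.

```python
"""Triage of a raw flash dump: signature scan plus a flagged string sweep.

Added example (not the video's own code). Stand-in for the manual
`strings dump.bin` and `binwalk dump.bin` steps after a JTAG readmem.
"""
import gzip
import re
import struct

# Magic values for a few formats commonly found in router firmware.
# Assumed table for this example; binwalk ships a far larger one.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS file system (little-endian)",
    b"sqsh": "SquashFS file system (big-endian)",
    b"PK\x03\x04": "Zip archive",
    b"\x7fELF": "ELF executable",
    b"HDR0": "TRX firmware header (Linksys/Broadcom)",
}

# Tokens that mark strings worth a defender's first look (assumed list).
SENSITIVE = re.compile(r"(passw|pass=|secret|ssid|wpa|pskey|key=)", re.I)


def scan_signatures(blob):
    """Return (offset, description) for every magic found, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def extract_strings(blob, min_len=4):
    """Equivalent of `strings -t x`: (offset, text) for runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def flag_sensitive(strings):
    """Subset of strings that look like cleartext credentials or radio config."""
    return [(off, s) for off, s in strings if SENSITIVE.search(s)]


def build_sample_dump():
    """Constructed stand-in for dump.bin: erased padding, a TRX-style header,
    a gzip payload, an NVRAM-style config region and an ELF magic.
    Not a real WRT54G image; values are made up for this example."""
    gz = gzip.compress(b"kernel image placeholder", mtime=0)
    parts = [
        b"\xff" * 0x40,                          # erased flash padding
        b"HDR0" + struct.pack("<I", 0) * 3,      # TRX magic plus dummy fields
        gz,
        b"\x00" * 16,
        b"wl_ssid=Joe Grand WRT54G\x00",         # constructed config entries
        b"http_passwd=example-only\x00",
        b"boardtype=0x0101\x00",
        b"\x7fELF\x01\x01\x01" + b"\x00" * 9,    # ELF magic only
    ]
    return b"".join(parts)


def triage(blob):
    """Run both passes and return a report dict a caller can inspect."""
    strings = extract_strings(blob)
    return {
        "signatures": scan_signatures(blob),
        "string_count": len(strings),
        "flagged": flag_sensitive(strings),
    }


if __name__ == "__main__":
    report = triage(build_sample_dump())
    for off, desc in report["signatures"]:
        print(f"0x{off:08x}  {desc}")
    print(f"{report['string_count']} printable strings; flagged:")
    for off, s in report["flagged"]:
        print(f"0x{off:08x}  {s}")
```

Pointing triage() at the real dump (open("dump.bin", "rb").read()) gives a first map of the 4 MB blob without any reverse engineering, and the flagged list is the quickest way to confirm whether a device stores credentials unencrypted in flash, which is the finding the video highlights.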
Info
Channel: Joe Grand
Views: 38,681
Rating: 4.9425287 out of 5
Keywords: joe grand, electronics, hacker, jtag, firmware, hacking, embedded system, reverse engineering, memory, linksys, wrt54g, chip off, urjtag, openocd, bus blaster, dangerous prototypes, router, extraction, kingpin, software, open source, extracting firmware, firmware extraction, binwalk, strings, analysis
Id: IadnBUJAvks
Length: 7min 59sec (479 seconds)
Published: Thu Dec 27 2018